Informed P2P User Act to clamp down on filesharing software

Bipartisanship has been hard to come by in Washington of late. Still, the bipartisan dream has not completely died, as proved yesterday in the House Energy and Commerce committee, which marked up the "Informed P2P User Act" (PDF) and sent it on to the full House for a vote.

The bill, which has wide support on both sides of the aisle, does two simple things. First, it requires P2P software vendors to provide "clear and conspicuous" notice about the files being shared by the software and then obtain user consent for sharing them. Second, it prohibits P2P programs from being exceptionally sneaky; surreptitious installs are forbidden, and the software cannot prevent users from removing it.

Rep. Henry Waxman (D-CA), the powerful committee chairman, opened the markup session by warning about "the danger of inadvertent sharing of sensitive information through the use, or misuse, of certain file sharing programs. Tax returns, medical files, and even classified government documents have been found on these networks. The purpose of H.R. 1319 is to reduce inadvertent disclosures of sensitive information by making the users of this software more aware of the risks involved."

The bill, sponsored by members of both parties, had a rather general first draft. The definition of P2P software, for instance, included all programs that could:

Designate files available for transmission to another computer;

Transmit files directly to another computer; and

Request the transmission of files from another computer.

This sounds like a lot of software, including OS file-sharing and networking tools. During yesterday's markup, Rep. Jay Inslee (D-WA) wanted to make sure that the definition wasn't so broad that it unintentionally incorporated other useful software, and he got his wish; the amended version that escaped from the committee contained a much longer and more detailed definition, complete with a set of software explicitly not covered by the bill.

Given what's going on over in the House Committee on Oversight and Government Reform, P2P vendors like LimeWire would strongly prefer this be the only bill on the subject. Edolphus Towns (D-NY), who chairs Government Reform, has been rumbling all year about P2P; back in July, he warned that P2P software was too often "predator-to-prey" and that "the days of self-regulation should be over for the file-sharing industry." He has also called for a ban on LimeWire-style applications on all government and government contractor computers, due to worries about inadvertently sharing sensitive information with the world.

The Energy and Commerce bill, by contrast, simply tries to make sure that people know what they're sharing, and that they know what software is installed on their machines. It's a modest bill (and quite short); with strong bipartisan support and the endorsement of the committee, the "Informed P2P User Act" stands a good chance of passing the House.

48 Reader Comments

Before anyone goes nuts - the motivation for this bill is the massive number of information leaks caused by retarded government employees who install P2P programs on computers with confidential information.

This bill has nothing to do with the RIAA, although it might help their court cases. It will be harder for defendants to claim ignorance as to what files they are sharing.

The part of the bill to keep software like Limewire off government machines, or businesses that have government contracts, is fine by me. Too many people let viruses and spyware into their computer already, and we don't need the potential for massive amounts of sensitive data to be leaked.

The other part though that all software must have a warning is ridiculous and will only affect already regulated companies which are not responsible for most of the high volume file sharing, i.e. Limewire Inc.

Re: RIAA, it's the first thing that I thought upon reading this. I'm sure there has been no whispering in the ears of the committee members... Even though I believe the motivation you cited is probably correct, the RIAA must be quietly enjoying this proposed legislation. Others may choose to see the RIAA behind it all the way /shrug.

Otherwise, it sounds innocuous enough - so long as it's not too cumbersome for people who know what they're doing, more disclosure is good.

This doesn't seem to be anything too major (although I do wish my reps were spending my tax dollars differently, but that's a different issue).

I certainly don't see anything wrong with the bill. A lot of people jump onto the P2P bandwagon without knowing what they're doing, thus we get the "tax forms, medical documents, and government documents" being shared with the webiverse (did I just coin a new term...holy shitballs...prolly not).

I do find it funny that the original bill's P2P software descriptors would've made it include Explorer, though.

I was a DoD employee for 6 years and for three of those years I managed Army divisional infrastructure in a couple of theaters. There are already clear and concise rules as to what goes on DoD computers and what they can be used for, and users have to accept these terms before they even get to user authentication, so sounds like a bit of redundancy there.

Originally posted by nikkoa: I appreciate, and applaud, the motive that drives this legislation.

Unfortunately I believe each and every bill restricting what we can and can't do on our computers is a bad thing.

If you don't know about p2p software you probably shouldn't be using it.

Well, I agree that we don't need to legislate every little thing, but the bill that left committee today doesn't in any way affect how P2P programs operate - i.e., what they CAN or CAN'T do, it just requires the vendors to include additional disclosures in the software. For the record, I don't use P2P software precisely because I'm not confident I know enough about how it works (though I learn a lot by reading Ars).

"does not include a program, application, or software designed primarily to— (i) operate as a server that is accessible over the Internet using the Internet Domain Name system;"

It sounds like this would either, 1) apply to every piece of web server software (can be accessed from DNS, but a necessity...) or 2) not apply to any p2p software, using the same DNS argument, p2p should be able to be accessed over the internet using DNS. Perhaps I am missing something with this exemption?

Originally posted by Not for Eating: "does not include a program, application, or software designed primarily to— (i) operate as a server that is accessible over the Internet using the Internet Domain Name system;"

It sounds like this would either, 1) apply to every piece of web server software (can be accessed from DNS, but a necessity...) or 2) not apply to any p2p software, using the same DNS argument, p2p should be able to be accessed over the internet using DNS. Perhaps I am missing something with this exemption?

P2P software usually connects via IP and not by hostname, thus DNS is not involved. So whereas IIS operates as a server over the internet, it is accessible via DNS lookup to resolve its hostname to IP.

The one issue that I see is that it leaves open a bit to interpretation. IE: Yes, IIS can be contacted via hostname, but that is not a requirement. Does that mean it is barred from being accessed by IP alone? Transversely, if a P2P app is capable of making itself available via a hostname then it would not be regulated by this legislation? Part of the problem is that stub may leave out context.

Originally posted by MrHumpty: If this is to keep malicious software off government machines and those who contract with the government just make a policy and procedure to deal with apps.

Making federal law to detail how software should be created is liberty for security.

Tell me how your liberty, in the Thomas Jefferson sense of the word, is affected by the fact that Kazaa would have an extra pop up box or something. The government, either through statutes or via regulatory agencies, controls all kinds of things that affect your day to day life, and this is pretty tame in comparison.

Originally posted by jupiterkansas: sounds like a bill that would do absolutely nothing.

Is there something else you might expect from Congress?... Full of sound and fury...it's the PR, you see.

I would think this sort of thing would be an administrative responsibility inside government networks. I think the network administrators are more than capable of managing the software they allow on their networks--if not, then they should be trained on how to do it. The fact is that regardless of the passage of this law it's all going to boil down to what the network administrators tolerate, isn't it?

Hopefully, this bill is closed to cover only government networks, as I think it would quickly prove unworkable for the public for a host of reasons. It would become yet another unenforceable Federal law. One day the legislators will learn that "thou canst not legislate software into being"... (Well, we can hope Congress might understand this one day.)

Originally posted by WaltC: Hopefully, this bill is closed to cover only government networks, as I think it would quickly prove unworkable for the public for a host of reasons. It would become yet another unenforceable Federal law etc.

I think it would be quite easy to enforce. A regulator / cop / enforcement agent: a) downloads the latest version of whatever software they were checking that day b) does the default / prompted installation c) notes whether it includes the required settings and disclosures.

Other than deciding exactly which p2p programs to check, what am I missing?

I don't know whether I'd want this to be legislated, just as a matter of pragmatism.

There are lots of software standards that I believe ought to be upheld under penalty of public castigation and ridicule - installers should disclose everything that they do, uninstallers should remove all trace of the application without causing collateral damage, Gator should be banned, autorun executables on music CD's shouldn't install rootkits, and so forth.

I'm just not sure that a federal government mandate is the most practical means of enforcement, though. Personally, I'd prefer to see a "Better Software Bureau" consumer interest group that puts its seal on software that meets these standards.

Originally posted by WaltC: Hopefully, this bill is closed to cover only government networks, as I think it would quickly prove unworkable for the public for a host of reasons. It would become yet another unenforceable Federal law etc.

I think it would be quite easy to enforce. A regulator / cop / enforcement agent: a) downloads the latest version of whatever software they were checking that day b) does the default / prompted installation c) notes whether it includes the required settings and disclosures.

Other than deciding exactly which p2p programs to check, what am I missing?

The fact that not just me, but a lot of other Americans, don't want our taxes paying for some GS-12 jackass to sit around checking P2P software all day.

Bad idea. First, "P2P" were not about sharing files -- people were doing that already. It was about sharing information about the files that could be shared. What we presently know as P2P is just a set of features that, by accident, are commonly bundled together.

And, then, there's the little fact that most of the terminology in use does not mean what the legislators expect it to mean! A "file", for instance. A "file", in computer terminology, refers to a specific way of storing data in persistent storage.

Let's suppose, for instance, that you find a music on YouTube and bring it to a Wave. Is that music a "file"? Have you transmitted from one computer to another? The answers are no, and no. That music is a stream, and its probable storage is a database clob. And if anything got copied besides references, it was copied between servers. And, yet, the actual results are pretty much the same as P2P -- you can inadvertently share stuff, you might not even be aware you may be sharing stuff, and the stuff gets shared.

Great, they are wasting our time, energy, and money with this crap. How the hell do you not know what files you are sharing and what software is installed? Why are we protecting those brain dead consumers who do not read the user manual? All government users should be running as standard, limited accounts with a suitable software restriction policy that prevents them from circumventing security.

Originally posted by DanCapo: The law should have targeted the behavior, not the technology.

Agreed.

A workstation at the office is not your goddamn personal property. You shouldn't be installing jack on it (unless the app has been approved in triplicate and passed through a dozen committees), let alone p2p apps. All this bullcrap about leaked documents is a failure of enforcing EXISTING rules.

The solution IS NOT to pass more rules, it's friggin' enforcing what you already have. Jeez. Stupid users need the book fucking thrown at them.

This is neither a legal nor software problem. It's an administrative one. Why are government employees allowed to install software on their computers? Why do they even have computers and not thin clients?

On second thought, I shouldn't really be surprised about the government shovelling responsibility onto those to which it applies the least.

Would the law specifically contain an exemption for an application which installs when you play a CD in your computer, that transmits details on the P2P applications you have on that computer and the music files on that computer, to a third party?

"does not include a program, application, or software designed primarily to— (i) operate as a server that is accessible over the Internet using the Internet Domain Name system;"

It sounds like this would either, 1) apply to every piece of web server software (can be accessed from DNS, but a necessity...) or 2) not apply to any p2p software, using the same DNS argument, p2p should be able to be accessed over the internet using DNS. Perhaps I am missing something with this exemption?

It says "designed primarily to". Are web servers normally accessed via DNS? Are P2P clients? As I see it the real problem is that they've chosen DNS and abandoned future proofing and alternative technologies. What about a legacy server that primarily uses e.g. NetBIOS for name resolution? What about some future non-DNS name resolution protocol?

Quote: I wonder how this will affect Freenet, since in essence you have no idea what you're sharing on the network in encrypted form.

The way I read this it seems to only count programs that search your computer and put what it finds on the network. Freenet doesn't do that.

The intent of what they're trying to do here is not ridiculous, even if it is unnecessary and unwise. The problem is in drafting a statute that doesn't have unintended consequences. The fact that they need special exceptions is really what worries me. It excepts servers using DNS, network management and programs that "transmit or receive email messages, instant messaging, real-time audio or video communications, or real-time voice communication". What about network games? What about non-real-time audio/video (e.g. podcasts)? Distributed version control systems? Classes of software that haven't been invented yet?

The real trouble is that they don't define "search" very well. If I make version control software that integrates with my IDE and can detect my existing projects, does that count as "searching" so that it unwittingly gets ensnared by this law?

What this law really needs is a notification requirement: Require whatever agency is responsible for enforcement to notify alleged violators well before any penalties are imposed, and only impose penalties if the developer hasn't modified the software to be compliant within a reasonable period after being notified. That way unwitting developers don't get sucker punched by a law that shouldn't even exist, just because they don't know it does.